GDPR compliance task force - month-by-month steps

The GDPR will apply from 25 May 2018 and will bring with it eye watering financial penalties for non-compliance of up to €20 million or 4% global turnover (whichever is higher).

The UK government has also proposed its own legislation (the draft Data Protection Bill) which sets out the UK specific derogations and will ensure that the GDPR continues to apply after the UK leaves the EU. The core data protection principles remain largely unchanged. However, the GDPR will introduce significant new obligations for organisations and rights for individuals. Organisations must prepare for the changes now to avoid facing the new regime of penalties and sanctions.

Together with our colleagues in the US, we have produced a series of short alerts covering the main issues that organisations will need to consider.

Our national team of experienced data protection specialists can assist your organisation with a wide range of GDPR compliance projects. Please contact a member of our team to discuss how we can help you with your specific needs.

Ten months to go - does GDPR apply to your company?

Follow our three-question flowchart to see if GDPR applies to you.

Nine months to go - should you designate a data protection officer?

Follow our five-step flowchart below to see if you need to designate a DPO:

Eight months to go - data processor GDPR checklist

A major change with the GDPR is that data processors now have direct legal obligations under EU privacy law. This is a significant shift from the current EU Directive, which only directly obligates data controllers. Non-compliant data processors face significant fines of up to 4% of global annual turnover or €20 million, whichever is higher, and may be directly liable to individuals for damages.

Seven months to go - do your vendor contracts comply with GDPR?

Any entity processing personal data on your behalf (i.e., your vendors) must have a written contract in place. The GDPR requires specific language in your vendor contracts.

Six months to go - GDPR breach notification checklist

U.S. companies already face a panoply of data breach notification laws enacted by 48 States and numerous regulators. Those subject to the GDPR may soon have yet another breach notification requirement to worry about.

Follow our chart below to determine if and when you must provide notice, who you must notify, and what your notice should include.

This text leaves open plenty of questions. However, on 3 October 2017, the Article 29 Working Party issued guidelines interpreting these data breach notification requirements. Here are some of the answers:

Five months to go - rights of individuals under the GDPR

The GDPR provides enhanced rights for individuals. Below we summarize the general principles companies must follow when interacting with individuals and we identify the specific rights granted to individuals under the GDPR. We also suggest some practical steps to assist your company’s compliance with this portion of the GDPR.

Four months to go - GDPR and cross-border data transfers

If your company is a controller or processor under the GDPR (for US companies, review this flowchart), then your company must comply with the GDPR’s requirements regarding the transfer of personal data of EU individuals to any country outside of the EU/EEA.

In the absence of an adequacy decision (explained below) and subject to very limited exceptions, controllers and processors are required to ensure that an “appropriate safeguard” or another GDPR-approved mechanism is in place before sending personal data of EU individuals outside of the EU/EEA.

The table below describes the mechanisms commonly used to lawfully transfer personal data of EU individuals outside of the EU/EEA. A full list of the transfer mechanisms can be found in Article 46.

Three months to go - GDPR privacy policy checklist

If your company is a data controller under the GDPR (for US companies, follow this flowchart), then your company will need to update its privacy policy or privacy notice. Under the GDPR, privacy policies must contain more detailed disclosures, while also being understandable and accessible. Even under the current privacy laws, EU regulators have demonstrated they will enforce rules on transparency in privacy disclosures. On 16 February 2018, a Belgian court threatened to fine Facebook US $125 million for failure to disclose its personal data collection practices. These fines may be steeper after 25 May, since the GDPR increases the maximum penalties.

Two months to go - how will Brexit affect data privacy law & the GDPR in the UK?

Brexit, an unprecedented event

Whether Brexit takes place on 29 March 2019 or is effectively deferred until the end of a transitional period (31 December 2020), the UK will likely adopt data protection legislation which largely tracks the GDPR. There is no precedent for Brexit, and it is impossible for companies to foresee every scenario that may arise and the impact it may have on data protection law in the UK. Companies which process the personal data of citizens of the UK or have operations in the UK will need to keep a close watch on the law over the coming months.

One month to go - enforcing the GDPR on US companies

At this point, it is no secret that many US companies will be subject to the GDPR. Under the GDPR, EU regulators will have the authority to punish noncompliance by imposing hefty fines, issuing injunctions, assessing bans on processing, and suspending international data transfers.

The practical impact of such enforcement measures is the ability to devastate a product, service, or business.

Top five takeaways on the GDPR

We live in a new world of EU privacy rules shaking US businesses. As of 10 months ago, many of you had not heard about the GDPR when we explained how the GDPR applies to US companies. By now your company may be on its way to GDPR compliance (but beware: see takeaway #3 below).

For those of us who have been immersed in GDPR compliance projects over the last year, it was refreshing to hear so many of our colleagues, family members and news outlets around the world pay attention to the GDPR on 25 May. But we also heard a lot of misunderstandings about the GDPR. Here are our five takeaways from the past year:

"Womble Bond Dickinson", the “law firm” or the "firm" refers to the network of member firms of Womble Bond Dickinson (International) Limited, consisting of Womble Bond Dickinson (UK) LLP and Womble Bond Dickinson (US) LLP. Each of Womble Bond Dickinson (UK) LLP and Womble Bond Dickinson (US) LLP is a separate legal entity operating as an independent law firm. Womble Bond Dickinson (International) Limited does not practise law. Please see www.womblebonddickinson.com/legal-notices for further details.